Python One-Liners with Base64 Decoding - Linux
Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
Sigma rule

title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.t1059.006
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
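To see the matching semantics concretely, here is an added Python evaluator (not Sigma's own code and not a compiled backend query) that applies this rule's selections to a few constructed process_creation events. The second event shows that the '.decode' term also fires on a bytes.decode() call that follows an encode, which is the kind of benign use the falsepositives entry anticipates.

```python
# Added example: mirrors the matching logic of the rule above over constructed
# events. Sigma 'contains' matches are case-insensitive substrings, and
# 'contains|all' requires every listed term while plain 'contains' needs any one.

IMAGE_CONTAINS = "/python"
CLI_CONTAINS_ALL = ["import", "base64", " -c"]
CLI_CONTAINS_ANY = [".decode", "b16decode", "b32decode", "b32hexdecode",
                    "b64decode", "b85decode", "z85decode"]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: all of selection_*'."""
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()
    selection_img = IMAGE_CONTAINS in image
    selection_cli = (all(t.lower() in cli for t in CLI_CONTAINS_ALL)
                     and any(t.lower() in cli for t in CLI_CONTAINS_ANY))
    return selection_img and selection_cli


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy used by the rule.
SAMPLE_EVENTS = [
    # 0: decode-and-run one-liner pattern the rule targets (payload is just "import os")
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\""},
    # 1: encodes rather than decodes, but '.decode()' on the bytes result still matches
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import base64;print(base64.b64encode(b\"x\").decode())'"},
    # 2: script file, no 'import' or ' -c' on the command line -> no match
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 /opt/app/tools/decode_report.py"},
    # 3: base64 decoding, but Image is not a Python interpreter -> no match
    {"Image": "/usr/bin/bash",
     "CommandLine": "bash -c 'echo aGVsbG8= | base64 -d'"},
]


def scan(events):
    """Return the indexes of events that the rule would flag."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("flagged events:", scan(SAMPLE_EVENTS))  # flagged events: [0, 1]
```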
Related rules
- Python One-Liners with Base64 Decoding
- Axios NPM Compromise Indicators - Linux
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Suspicious Space Characters in RunMRU Registry Path - ClickFix